CanaRy

Problem

This time we added a canary to detect buffer overflows. Can you still find a way to retrieve the flag from this program located in /problems/canary_2_dffbf795b4788666d54a993a5e41d145. Source.

Solution

  1. BUF_SIZE is 32 bytes, so pad with 'a'*32; the canary sits immediately after the buffer on the stack.

  2. Leak the canary by running break-canary.py on the shell server.

  3. Paste the leaked canary into bruteforce-pie.py on line 13.

  4. The offset after the canary was determined with cyclic(24) and cyclic_find(): running python2 -c "from pwn import *; print 'a'*32 + 'ex;Y' + cyclic(100)" | ./vuln locally gives an offset of 'a'*16.

  5. The last 1.5 bytes of display_flag (the low 12 bits, which PIE does not change) were determined with readelf -s vuln.

  6. The first byte was found with gdb: set a breakpoint at vuln and run; gdb reports Breakpoint 1, 0x56622a14 in main (), and more importantly the first byte 0x56.

  7. Nested loops over hex values brute-force every possible value of the remaining 1.5 bytes, and p32 from pwntools converts each candidate address to little endian.

  8. Run bruteforce-pie.py on the shell server: after from pwn import *, paste the bruteforce_pie function into a python terminal and run print bruteforce_pie().

  9. The flag appears after a few minutes.

  10. If no flag appears after the run finishes, run it again and it will work (the script doesn't check addresses that contain zero bytes).
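The challenge name and flag point at the defensive lesson: a canary only helps if it is unpredictable and freshly generated for every process, and if the check reveals nothing beyond pass/fail. The following C snippet is an added example, not the challenge's source or the author's scripts. It contrasts a constructed fixed canary (standing in for one loaded from a file, so it repeats across runs and a single leak is reusable) with a per-process random one, and compares the value as a whole rather than byte by byte. The file contents, the function names and the use of /dev/urandom are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a canary read from a file at startup (assumed
   design): every process gets the same value, so once it has been leaked it
   works against every later run as well. */
static const unsigned char FIXED_CANARY_FILE[4] = { 0x41, 0x42, 0x43, 0x44 };

/* Weak: the canary is the same in every process. */
uint32_t fixed_canary(void) {
    uint32_t c;
    memcpy(&c, FIXED_CANARY_FILE, sizeof c);
    return c;
}

/* Hardened: a fresh canary per process from the kernel CSPRNG. The lowest
   byte (first in memory on little-endian x86) is forced to 0x00, as glibc
   does, so an overflow via a NUL-terminated string copy cannot write past it
   without altering it. */
uint32_t random_canary(void) {
    uint32_t c = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&c, sizeof c, 1, f) != 1) {
        if (f != NULL) fclose(f);
        fputs("no entropy source available\n", stderr);
        abort();
    }
    fclose(f);
    return c & 0xffffff00u;
}

/* Compare the whole canary and report only pass (1) or fail (0). The XOR
   fold has no data-dependent branch, so neither the result nor the timing
   says which byte differed. */
int canary_intact(uint32_t stored, uint32_t expected) {
    uint32_t diff = stored ^ expected;
    diff |= diff >> 16;
    diff |= diff >> 8;
    diff |= diff >> 4;
    diff |= diff >> 2;
    diff |= diff >> 1;
    return (int)(1 - (diff & 1u));
}

int main(void) {
    /* Two "processes" with the file-based canary see the same value. */
    uint32_t a = fixed_canary(), b = fixed_canary();
    printf("fixed canary identical across runs: %s\n", a == b ? "yes" : "no");

    /* Two processes with a random canary differ (except with ~2^-24 chance). */
    uint32_t r1 = random_canary(), r2 = random_canary();
    printf("random canaries identical: %s\n", r1 == r2 ? "yes" : "no");

    /* The check passes on the untouched value and fails once a byte changes. */
    printf("intact: %d, tampered: %d\n",
           canary_intact(r1, r1), canary_intact(r1 ^ 0x01000000u, r1));
    return 0;
}
```

Run it a few times: the fixed canary line never changes, while the random canary differs on every execution, which is exactly what makes the leak-and-reuse step in the walkthrough fail against a properly randomised binary.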

Flag

picoCTF{cAnAr135_mU5t_b3_r4nd0m!_1df5fde9}
